
Extend cfssl-issuer to return the Root CA certificate
Closed, Resolved (Public)

Description

Use case

The Machine Learning team uses Kserve, a Kubernetes ML stack that leverages webhooks to validate new/changed configs. The Kubernetes API needs to be able to call the HTTPS endpoint exposed by the webhook when needed, and hence it needs to trust the correct CA certificate to validate the webhook's TLS cert correctly.
We use cert-manager/cfssl-issuer to manage the webhook's certificate, using the PKI discovery intermediate. The main problem is that the CA cert is not injected as expected in the webhook's resources when needed.

The problem

In order to be able to inject the correct CA certificate, cert-manager (ca-injector) needs to read a ca.crt field in the K8s Secret created by the Certificate resource. After a chat with Janis, it seems that our cfssl-issuer plugin/implementation needs to call a specific cfssl api to gather the CA certificate.

Proposed change

client: https://github.com/wikimedia/cfssl/pull/4
server: https://gerrit.wikimedia.org/r/c/operations/software/cfssl-issuer/+/756546

Notes

We have forked (for the moment) cfssl and implemented https://github.com/cloudflare/cfssl/pull/1218; this use case is supported, but the bundle flag needs to be true in the config to make everything work. Since this is not intuitive at first, we should also document it.

Event Timeline

Change 756546 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/software/cfssl-issuer@main] Make a bundle signer return its root CA

https://gerrit.wikimedia.org/r/756546

Change 756616 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/software/cfssl-issuer@main] Add ca to multirootca.conf in simple-cfssl

https://gerrit.wikimedia.org/r/756616

Change 756616 merged by JMeybohm:

[operations/software/cfssl-issuer@main] Add ca to multirootca.conf in simple-cfssl

https://gerrit.wikimedia.org/r/756616

Change 756546 merged by JMeybohm:

[operations/software/cfssl-issuer@main] Make a bundle signer return its root CA

https://gerrit.wikimedia.org/r/756546

Change 757462 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/docker-images/production-images@master] cfssl-issuer: Update to v0.2.1

https://gerrit.wikimedia.org/r/757462

Change 757462 merged by JMeybohm:

[operations/docker-images/production-images@master] cfssl-issuer: Update to v0.2.1

https://gerrit.wikimedia.org/r/757462

Mentioned in SAL (#wikimedia-operations) [2022-01-26T16:53:12Z] <jayme> published image docker-registry.discovery.wmnet/cfssl-issuer:0.2.1-1 - T299906

Change 757465 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/deployment-charts@master] helmfile.d: set new cfssl-issuer version

https://gerrit.wikimedia.org/r/757465

Change 757465 merged by Elukey:

[operations/deployment-charts@master] helmfile.d: set new cfssl-issuer version

https://gerrit.wikimedia.org/r/757465

Updated cfssl-issuer is deployed to all clusters where it is currently active. Closing.

Change 762402 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/software/cfssl-issuer@main] Update vendor to latest wmf branch of cfssl

https://gerrit.wikimedia.org/r/762402

Change 762402 merged by JMeybohm:

[operations/software/cfssl-issuer@main] Update vendor to latest wmf branch of cfssl

https://gerrit.wikimedia.org/r/762402